MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 442bc37924d8d962da21953837ef47044256d19d9a26202083e6e77c150fc696. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	442bc37924d8d962da21953837ef47044256d19d9a26202083e6e77c150fc696
SHA3-384 hash:	6916cfa8718c0231ccfb9af0c5830cf150224754dd871f79390e91f75fe2e661bdc3476af127826500bd8b9613420d8d
SHA1 hash:	632bac3daba9786f0d2c8fcf2ecac6bd45817dae
MD5 hash:	c0909339442d5c3b929dc090bb6d63f2
humanhash:	montana-sodium-two-purple
File name:	setup.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	325'120 bytes
First seen:	2023-04-27 00:07:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cef248a5f7f51291a488c3a64841460c (2 x Vidar, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep	6144:IRjS8YPuYVdFbbbT4c3PS8m7Rn1VTBPT5:Mu80Xhm11lBb5
Threatray	1'566 similar samples on MalwareBazaar
TLSH	T1B064F1117AF0CCA6D46389398864C1F4BA7FB8539B65E6B337483F5F6C31281D9AA350
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0049414543014101 (1 x Vidar)
Reporter	Chainskilabs
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

265

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2023-04-27 00:07:49 UTC

Tags:

stealer vidar trojan

Link:

https://app.any.run/tasks/121c4a6f-968b-4e4d-941c-853132253a54

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/385124/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Creating a process from a recently created file

Searching for analyzing tools

Searching for the window

Creating a file in the %AppData% subdirectories

Running batch commands

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Launching a process

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/81579/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6449bce58615b5d32a53564c/reports/c6c817d0-879b-4234-8724-71b087cca1c5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/442bc37924d8d962da21953837ef47044256d19d9a26202083e6e77c150fc696

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/63984493-27ef-4c71-99f2-f8725a0c03ec

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1221887

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/442bc37924d8d962da21953837ef47044256d19d9a26202083e6e77c150fc696/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-04-26 16:28:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iqv4g6je3dmwfwrbsu4dp32harbfnum5titcaied43txyfipy2la._file

Verdict:

malicious

Vidar

558da56234404dd337be2a22e2493aa6c140b7688e58a17236dc95da0e5162eb

Vidar

722e5c23eff7116dead7e70f52673519604efa15a2743939034cb2fccd1c4672

Vidar

797575606aa8f510d7d84596fcc81180354f0b65ec50ed5864ad6c18d15f3086

Vidar

8e517eff9f5660d37b9eea72e56a3133e85889a36f7ffea1b11a1e31f8baf001

Vidar

bdcc0932f31bf8478356b9d2df3e6613385dfcd6f1179a70300430d5759298d5

Vidar

c73c5027ec11576250105ea0664c33a51f3a19901c6bcbfd84d88c94f3482435

Vidar

dbf43bdb056da5d571f703a9f14a5b89eed377e0888a695ff4b8b066febb558e

Vidar

fc02a63e0ca8682216bd68c561a4923f9f1828a0fd5978160282f52b777ebc8f

Vidar

+ 1'556 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:laplas family:vidar botnet:2234cb18bdcd93ea6f4e5f1473025a81 clipper discovery evasion persistence spyware stealer trojan upx

Link:

https://tria.ge/reports/230427-aexldacf45/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

GoLang User-Agent

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Downloads MZ/PE file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Laplas Clipper

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199497218285
https://t.me/tg_duckworld
http://89.23.97.128

Unpacked files

SH256 hash:

86b6471699740e009dd754d8094132adbcbab400b3c04d27f100e82df312bd12

MD5 hash:

f8a9a8d2d99d81315230ad03cde33cd2

SHA1 hash:

10c5d88a09581f7d57e87655665a6d2c565969dd

Detections:

VidarStealer

Link:

https://www.unpac.me/results/a50cbdd2-10b0-4ea7-a24b-7fa8e1dc527c/

Parent samples :

d1006e8c4e1a70535c19a92bd80f3b5a7188e5089157725b0f37e0c5cac391fe
83e593364f1beb5811a8a29f95e5a3b674cf3eba6fd8bcf5a5231d9c668a8987
d927d33966be61de99eba33be4efb7b09ac5348e17caadf92dbcc094a8ad663f
1b50395ebaae62aa4ad19a514a0cda4b8f74aa915dfe0c0df49a3aee08c605b7
797575606aa8f510d7d84596fcc81180354f0b65ec50ed5864ad6c18d15f3086
3c1ebdf7ddc8c5332ff02def398851eecee1329326f851e9adc135a6a25e4e98
722e5c23eff7116dead7e70f52673519604efa15a2743939034cb2fccd1c4672
fc02a63e0ca8682216bd68c561a4923f9f1828a0fd5978160282f52b777ebc8f
37f90d14d9b6dbc7813b30dea8379637336a2e8219110dd0c479f2dc5d7a5fd5
7564e44c0b07a0f161c5a245ba8f2029ea70a297a5f9944c4c786a75f1e8524a
005dce2ddcdfce4418c7782afe3d59d6ee9cb8a3f0a9f303ebf92b60151aa55e
bdcc0932f31bf8478356b9d2df3e6613385dfcd6f1179a70300430d5759298d5
2c3399c0b13dde9c28a4bbcbd0c45a61238736d09123c838e1a8765194874c30
354a1d3180f92329cae26075d2a152561df4d9bb2b8254b50ac4b97c7ee89e06
442bc37924d8d962da21953837ef47044256d19d9a26202083e6e77c150fc696
d3564cf77d63b9b2ec8cf914958453f19e0d1032f4ea4665fe05b2284decfb0a
d63913dd7bb4c567c5e752149ebd9f90023a34f49b75a585e6f67c6834dc24a0
67770d3ab80bd1d5d9c2be66f5bb8084f61c15a3060f84cdba21852e9609eb64
54fe4ead4f5851ffdd4ee657632740a6095f362a34d593b04dbf0a2b339fc4c6
be04801e050f6b11b177a4febcd6daecbbfa6891c0fbc2e053638ff7c1f7cda0
fa3dc6c4c0ce44fcaf84b68d5578976bd0f6c5ace4a4c57d6a9c39d2ca5eab47
9b18f5731f338a90ca3a226572e21c2c958c345d6adfa40f8b012a79f412dae5
aac4be8da4dd61b9c80cdd4fbfd32aca1189947644318a7a3627a502b3f8e128
1a945013489a88af369312fbce20f6701fb0df180e29113533d1cab036ce66a6
396ae4c1158897e71763b09fe32b147bba5414531a46c53b11ff8ccbd4589d6f
e6e4ba6207c487fbd207a88cd71d12203e8899daf72a6819131aa805fb0c4444
d69aa2521826d527ff78c9fff569d344cb4bbb93bb781d4b7e5d1d29ce1ce1a9

SH256 hash:

442bc37924d8d962da21953837ef47044256d19d9a26202083e6e77c150fc696

MD5 hash:

c0909339442d5c3b929dc090bb6d63f2

SHA1 hash:

632bac3daba9786f0d2c8fcf2ecac6bd45817dae

Link:

https://www.unpac.me/results/a50cbdd2-10b0-4ea7-a24b-7fa8e1dc527c/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/442bc37924d8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/442bc37924d8d962da21953837ef47044256d19d9a26202083e6e77c150fc696

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Telegram_Links Create hunting rule

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_vidar_a_a901 Create hunting rule
Author:	Johannes Bader
Description:	detect unpacked Vidar samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe 442bc37924d8d962da21953837ef47044256d19d9a26202083e6e77c150fc696

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2617926/

URLhaus

https://urlhaus.abuse.ch/url/2615191/

URLhaus

https://urlhaus.abuse.ch/url/2605501/

Cape

https://www.capesandbox.com/analysis/385124/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample